DifferentCTF

[screenshot]

Target IP: 10.10.90.9
Challenge Description:
[screenshot]


Reconnaissance

[screenshot]
Performing a port scan shows there are two TCP ports open on the target machine, as shown above.

[screenshot]
Doing an aggressive port scan against the two TCP ports returns the result above. The HTTP application on port 80 seems to be running WordPress 5.6 according to the scan.

┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Revisit/DifferentCTF]
└─$ sudo nmap -sV -A 10.10.90.9 -p 21,80 --script=vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 11:26 EDT
Nmap scan report for 10.10.90.9
Host is up (0.024s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.90.9
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://10.10.90.9:80/
|     Form id: 
|_    Form action: http://adana.thm/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-wordpress-users: 
| Username found: hakanbey01
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
| http-enum: 
|   /wp-login.php: Possible admin folder
|   /phpmyadmin/: phpMyAdmin
|   /readme.html: Wordpress version: 2 
|   /: WordPress version: 5.6
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|_  /readme.html: Interesting, a readme.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Unix

Running nmap with the vuln script category returns the interesting result above. The hostname appears to be adana.thm, and there is a WordPress user called hakanbey01. I added the line 10.10.90.9 adana.thm to my /etc/hosts file. Time to enumerate further.


Enumeration

Port 80: HTTP
[screenshot]
Browsing to the web application on port 80 displays the WordPress page above. The page shows the username hakanbey01, which I had already found during reconnaissance. I did not find anything of interest in the application's source code.

[screenshot]
Running a basic directory search against the target machine returns the result above. The directory /announcements/ stands out.

[screenshot]
Browsing to the /announcements/ directory returns the page above. It contains two files: austrailian-bulldog-ant.jpg and wordlist.txt. The second file contains a list of passwords. Maybe I can use this password list against the WordPress login to find valid credentials? Or does the image contain hidden data?

[screenshot]
Using stegcracker with the password list, I extracted the hidden data from the austrailian-bulldog-ant.jpg image into a file named austrailian-bulldog-ant.jpg.out.

[screenshot]
The content of the hidden file is shown above. It is base64-encoded. I decoded it with base64 -d and obtained the plaintext above. Could this plaintext be a set of FTP credentials? I know FTP is open on the target machine.

Port 21: FTP
[screenshot]
Using the credentials hakanftp:123adanacrack, I successfully logged in to the FTP service on the target machine. I know wp-config.php contains credentials. Maybe it holds the credentials of the WordPress application?


Exploitation

[screenshot]
Using the command mget wp-config.php from the FTP session, I downloaded a copy of wp-config.php to my machine. Its content is shown above. It contains the phpMyAdmin credentials phpmyadmin:12345.

[screenshot]
I browsed to http://www.adana.thm/phpmyadmin and logged in with the credentials phpmyadmin:12345. Now I have access to this web application. I notice two interesting databases, phpmyadmin and phpmyadmin1, as shown above. Both databases seem to contain the table wp_users.

[screenshot]
The image above shows the password hash of the user hakanbey01. However, I was unable to crack this hash.

[screenshot]
I created a text file called test.txt with the content hello. Then, in another FTP session, I tried uploading the file, and it worked: I can successfully upload files to the target machine. But when I try to access the file at http://adana.thm/wp-content/test.txt or http://adana.thm/test.txt, it does not work, even though the remote directory is /.

[screenshot]
I enumerated further. The wp_options table contains the interesting entry highlighted above. Is this a subdomain? I added it to my /etc/hosts file. Maybe I can access my test.txt file at http://subdomain.adana.thm/test.txt?

[screenshot]
And bingo! I had to change the permissions of the file to 777 to access it. Now I can reach the test file at http://subdomain.adana.thm/test.txt. Time to upload a reverse shell.

[screenshot]
I made a copy of the Pentest Monkey PHP reverse shell script with the name shell.php. Then, using the FTP service on the target machine, I uploaded this reverse shell. I also changed the permissions of the file to 777 so it is executable.

[screenshot]
I started a listener on my machine on port 8444. Then I browsed to http://subdomain.adana.thm/shell.php and got a hit! Now I have a foothold on the target machine as www-data, as shown above.


Privilege Escalation

[screenshot]
There is one user called hakanbey, but I am unable to browse to this user's home directory. SSH is not open on the target machine either, so I cannot brute-force their password that way. However, the task mentions sucrack, which is a password brute-forcing tool. Maybe I can transfer it to the target machine and run it against this user? I transferred sucrack and the original wordlist.txt to the target machine and executed it, but had no luck.

[screenshot]
However, I noticed that all the passwords I obtained previously started with 123adana. I created the Hashcat rule ^a^n^a^d^a^3^2^1, which prepends 123adana to each password. The password file I used is the wordlist.txt from the hidden directory. The new passwords are stored in a file called newwordlist.txt, as shown above.

[screenshot]
I transferred the new newwordlist.txt password list to the target. Using sucrack, I brute-forced the password 123adanasubaru of the user hakanbey, as shown above.

[screenshot]
Using the new password, I successfully switched to the user hakanbey, as shown above. I have escalated privileges horizontally from www-data to hakanbey.

[screenshot]
Running find / -perm -u=s -type f 2>/dev/null shows an unusual SUID entry, /usr/bin/binary, as shown above.

[screenshot]
I transferred the binary to my machine. Running strings on it shows the interesting strings above. There is some sort of hint and a reference to an image. Maybe ltrace will help?

[screenshot]
I ran ltrace on the binary and obtained the crucial information above. It looks like the application expects the input string warzoneinadana.

[screenshot]
After entering the required string, another set of hints is provided, as shown in the image above. An image from the root user's directory is copied to /home/hakanbey/Desktop. The hint Hexeditor 00000020 with Cyberchef is interesting.

[screenshot]
Browsing to /home/hakanbey/Desktop confirms this: the image has been copied successfully. I transferred this image to my machine.

[screenshot]
Using hexeditor, I looked at the content at offset 00000020 and obtained FE E9 9D 3D 79 18 5F FC 82 6D DF 1C 69 AC C2 75, as shown above.

[screenshot]
After some manual tries, I obtained the plaintext root:Go0odJo0BbBro0o. This looks like the credentials of the user root. I had to convert the bytes from hex to base85 to obtain them.
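The hex-to-base85 step can be reproduced without CyberChef. The block below is an added example, not code from the original writeup: it implements standard Ascii85 encoding by hand (the '!'..'u' alphabet that CyberChef's Base85 operation uses by default, which is assumed here) and cross-checks the result against Python's base64.a85encode. It also shows why the 16 bytes read at offset 00000020 come out as exactly 20 characters.

```python
import base64

# Standard Ascii85: each 4-byte group becomes five characters in the range
# '!' (33) to 'u' (117), so the 16 bytes at offset 0x20 yield 20 characters.
ALPHABET_BASE = 33


def ascii85_encode(data: bytes) -> str:
    """Encode bytes as standard Ascii85 (no <~ ~> framing, no 'z' shortcut)."""
    out = []
    for i in range(0, len(data), 4):
        chunk = data[i:i + 4]
        pad = 4 - len(chunk)                      # the final group may be short
        value = int.from_bytes(chunk + b"\x00" * pad, "big")
        digits = []
        for _ in range(5):                        # five base-85 digits, least significant first
            value, rem = divmod(value, 85)
            digits.append(chr(rem + ALPHABET_BASE))
        digits.reverse()
        out.append("".join(digits[:5 - pad]))     # drop one output char per padded byte
    return "".join(out)


def ascii85_decode(text: str) -> bytes:
    """Inverse of ascii85_encode, tolerating a short final group."""
    out = bytearray()
    for i in range(0, len(text), 5):
        chunk = text[i:i + 5]
        pad = 5 - len(chunk)
        value = 0
        for ch in chunk + "u" * pad:              # pad with the highest digit, as the spec does
            value = value * 85 + (ord(ch) - ALPHABET_BASE)
        out += value.to_bytes(4, "big")[:4 - pad]
    return bytes(out)


def decode_hint_bytes(hex_string: str) -> str:
    """Reproduce the 'From Hex -> To Base85' CyberChef recipe from the writeup."""
    return ascii85_encode(bytes.fromhex(hex_string))


# The 16 bytes read at offset 00000020 of the copied image, as quoted in the writeup.
HINT_HEX = "FE E9 9D 3D 79 18 5F FC 82 6D DF 1C 69 AC C2 75"

if __name__ == "__main__":
    creds = decode_hint_bytes(HINT_HEX)
    # Cross-check the hand-rolled encoder against the standard library.
    assert creds == base64.a85encode(bytes.fromhex(HINT_HEX)).decode()
    print(creds)                                  # root:Go0odJo0BbBro0o
```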

[screenshot]
And bingo! Now I have root access on the target machine. GG.


Flags

[screenshot]
The web.txt flag is shown above, obtained after gaining a foothold on the target machine as www-data.

[screenshot]
The user.txt flag is shown above, obtained after escalating privileges to the user hakanbey.

[screenshot]
The root.txt flag is shown above.